// Package ldap provides a simple LDAP client to authenticate a user and
// retrieve basic information and group memberships for that user.
  3. package main
  4.  
import (
	"fmt"
	"log"
	"net"
	"os"

	"gopkg.in/ldap.v3"
)
  11.  
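// main authenticates one user against the directory and then checks whether
// that user is a direct member of one of a fixed set of groups.
//
// Secrets are never hard-coded: the end-user password and the service
// account password are read from the environment and the program exits if
// either is missing. Non-secret settings have defaults but can be overridden
// the same way. The variable names below are this program's own choice.
//
// Note that log.Fatal exits without running deferred calls, so on a fatal
// error the connection is simply dropped by the OS; acceptable for a CLI.
func main() {
	// The username and password we want to check.
	username := envOr("LDAP_USER", "jodo")
	password := mustEnv("LDAP_USER_PASSWORD")

	dc := envOr("LDAP_BASE_DN", "dc=smn,dc=local")
	ldapserver := envOr("LDAP_SERVER", "dc.smn.local")
	bindusername := envOr("LDAP_BIND_USER", "svc@smn.local")
	bindpassword := mustEnv("LDAP_BIND_PASSWORD")
	groups := []string{"Test", "WEB", "Web-local"}

	// Connect to LDAP-server and bind as the service account.
	conn, err := connection(ldapserver, bindusername, bindpassword)
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()

	// Authenticate user. authUser binds the connection as the end user on
	// success, so the connection's identity changes here.
	ok, err := authUser(conn, dc, username, password)
	if err != nil {
		log.Fatal(err)
	}
	if !ok {
		log.Printf("User: %s is not authenticated", username)
		return
	}
	log.Printf("User: %s is authenticated", username)

	// Rebind as the read only user for any further queries. This must
	// happen before the group lookup, otherwise that search runs with the
	// end user's own read rights rather than the service account's.
	if err := conn.Bind(bindusername, bindpassword); err != nil {
		log.Fatal(err)
	}

	// Check if user is in the groups.
	inGroup, err := authGroup(conn, dc, username, groups)
	if err != nil {
		log.Fatal(err)
	}
	if inGroup {
		log.Printf("Permission granted for %s", username)
	} else {
		log.Printf("Permission denied for %s - check the groups", username)
	}
}

// mustEnv returns the value of the environment variable key and exits the
// program if it is unset or empty; used for values that must not be
// embedded in source (passwords).
func mustEnv(key string) string {
	v := os.Getenv(key)
	if v == "" {
		log.Fatalf("environment variable %s must be set", key)
	}
	return v
}

// envOr returns the value of the environment variable key, or def when the
// variable is unset or empty; used for non-secret settings.
func envOr(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}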
  62.  
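// connection dials ldapserver on port 389 and binds with the supplied
// service-account credentials.
//
// On success it returns a bound *ldap.Conn that the caller must Close. On
// any failure it returns a nil connection and the underlying ldap error
// unchanged, so callers can still inspect it with the ldap package's own
// helpers. If the bind fails the freshly opened socket is closed here
// rather than leaked.
//
// NOTE(security): ldap.Dial is a plaintext TCP connection, so the bind
// credentials travel unencrypted; outside a lab, prefer ldap.DialTLS or
// call conn.StartTLS before binding.
func connection(ldapserver string, bindusername string, bindpassword string) (*ldap.Conn, error) {
	// JoinHostPort also produces a valid address for IPv6 literals.
	conn, err := ldap.Dial("tcp", net.JoinHostPort(ldapserver, "389"))
	if err != nil {
		return nil, err
	}

	// Authenticate to the LDAP-server.
	if err := conn.Bind(bindusername, bindpassword); err != nil {
		// The caller never sees this conn, so it must be closed here.
		conn.Close()
		return nil, err
	}

	return conn, nil
}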
  78.  
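// authUser verifies username/password against the directory rooted at dc.
//
// It looks the user up by sAMAccountName (the search runs under whatever
// identity conn is currently bound as), then binds as the found DN with
// the supplied password. On success the connection stays bound as that
// user and (true, nil) is returned.
//
// Errors: a non-nil error is returned for an empty password, for a search
// failure, when the lookup does not yield exactly one entry, and when the
// bind fails; bind and search errors are returned unchanged from the ldap
// package. The function never terminates the process itself.
func authUser(conn *ldap.Conn, dc string, username string, password string) (bool, error) {
	// An empty password must never reach Bind: LDAP treats a DN with an
	// empty password as an unauthenticated bind (RFC 4513 §5.1.2), which
	// can succeed without proving anything about the user.
	if password == "" {
		return false, fmt.Errorf("empty password supplied for %q", username)
	}

	searchRequest := ldap.NewSearchRequest(
		dc,
		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
		// username is untrusted input; escape it so it cannot change the
		// structure of the filter.
		fmt.Sprintf("(sAMAccountName=%s)", ldap.EscapeFilter(username)),
		[]string{"dn", "cn"},
		nil,
	)

	sr, err := conn.Search(searchRequest)
	if err != nil {
		return false, err
	}

	// Report the outcome to the caller instead of calling log.Fatal from a
	// library function (which also made the old return unreachable).
	if len(sr.Entries) != 1 {
		return false, fmt.Errorf("expected exactly one entry for %q, got %d", username, len(sr.Entries))
	}

	userdn := sr.Entries[0].DN

	// Bind as the user to verify their password.
	if err := conn.Bind(userdn, password); err != nil {
		return false, err
	}
	return true, nil
}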
  107.  
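// authGroup reports whether username is a direct member of at least one of
// groups, where each group is assumed to be the object "CN=<group>,<dc>".
//
// For each group it searches the subtree at dc for a user object whose
// sAMAccountName is username and whose memberOf holds that group DN; the
// first group yielding exactly one entry returns (true, nil). An empty
// groups slice yields (false, nil) without touching conn. Search errors
// are returned unchanged from the ldap package.
//
// The memberOf test matches direct membership only; nested group
// membership would need a different query (TODO confirm whether that is
// required here).
func authGroup(conn *ldap.Conn, dc string, username string, groups []string) (bool, error) {
	// username and the group names are untrusted; escape them so they
	// cannot alter the filter structure. dc is configuration and is used
	// as-is, matching the base DN above.
	user := ldap.EscapeFilter(username)

	for _, group := range groups {
		filter := fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s)(memberOf=CN=%s,%s))",
			user, ldap.EscapeFilter(group), dc)

		groupRequest := ldap.NewSearchRequest(
			dc,
			ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
			filter,
			[]string{"dn", "cn"},
			nil,
		)

		gr, err := conn.Search(groupRequest)
		if err != nil {
			return false, err
		}

		// Exactly one hit means the user is in this group; anything else
		// moves on to the next group.
		if len(gr.Entries) == 1 {
			return true, nil
		}
	}
	return false, nil
}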